mozilla / addons-linter Goto Github PK
View Code? Open in Web Editor NEW๐ Firefox Add-ons linter, written in JavaScript. ๐
License: Mozilla Public License 2.0
๐ Firefox Add-ons linter, written in JavaScript. ๐
License: Mozilla Public License 2.0
htmlparser2 has better test coverage and seems more robust, so let's try to use it for RDF parsing instead of XMLDom.
It's possible to create a zip with 2 files being the exact same name. We need to detect that.
We need a way to either configure ESLint not to respect comments inside the code (usually in /* eslint nocheckforbadthing */
-type comments).
If that's not possible, we'll need to strip out all comments when we parse code or something so the code can't tell the validator to back off ๐
We've got a start on outputting JSON - we need to add something to output the rules in a nice way as just text with nice colours assuming boring is false.
From discussions we decide for the validation errors and warnings we need an object for each (they'll mostly be the same.
We're planning on using https://github.com/reworkcss/css for this. This bug is to stand-up some basic css checks with that parser.
Related to #78, we should keep our rules in single files (similarly to what we do with ESLint rules) so they are easy to find and we don't have massive validator classes full of methods.
I'll move the RDF ones that exist already.
The list of rules covers a bunch of tests that relate to files and how they're laid-out in the zip (xpi). We should write a list of those and start implementing them.
For use via amo it's important we can blow-up gracefully if a zip bomb is submitted for validation.
This will need breaking down further.
We need to know what addon-type we are dealing with as some validation tests are type-specific.
Write a first rule for: mozindexdb_removed, mozIndexedDB has been removed
We've discussed this being based around mocha + chai + plus a test runner.
Let's investigate what's state of the art in CSS parsing for Node. Then the next step will be to prototype out something simple and double check the chosen solutions looks fit for purpose.
Add express into the mix so we're starting to look at non-CLI based consumption of our code.
Initial steps are going to be to handle an incoming package and hand that off to the Validator.
Just a minor thought, but as we add separate scanners (CSS, JS, RDF), the root of src/
is getting crowded. It would be easier to see what files did what if they were grouped (ie put all scanners in a scanners/
folder.
So instead of:
- src/
- messages/
- rules/
- cli.js
- css.js
- javascript.js
- rdf.js
[etc.]
we can do:
- src/
- messages/
- scanners/
- css.js
- javascript.js
- rdf.js
- rules/
- cli.js
[etc.]
Deal with inability to process CSS due to parser errors.
There are a set of tests that read the first few bytes of a file to identify them.
There are existing HTML/Markup tests in the old validator, so we should hook up at least one to see what that looks like.
It's possible to create a Message with an empty opts
object, which we should just make sure to test against in the future when we decide on/add the required opts.
https://github.com/mozilla/addons-validator/pull/35/files#r40915475
This is a test case I hadn't considered in #44; I'll leave it here as a separate bug.
We should be sure bad JS like:
var = foo:
doesn't crash the validator.
Turns out this is the syntax_error
rule. This is a good one to implement early I think.
So that we can do easy substitutions.
We're going to need to handle any JS we come across whilst processing the HTML files.
Output from the tests is a bit noisy because we have console.log
calls inside the code path that aren't silenced for tests.
Realistically, we probably want an validator.config.output
option that is nothing
or null
.
Not sure when the CLI would ever want it, but it's what we want for the tests and we should already have the infra for it via that config.output
option.
Other console.log
should be silenced by this option. We probably just want to use our own log
method everywhere.
Before we go too far and add lots of rules I think it might be worth taking a step back briefly to look at what we have in terms of parsers and how they are integrated and make sure we are being as consistent in our approach as possible for each parser so far.
Kind of questions I have in mind are:
We can then file issues for any things that need to be changed if necessary.
Document the high-level flow of how the validator processes and code flows through the various scanners.
Presumably we're going to need to stick closely to the way the current validator outputs the results of a scan.
This classes job is to collect up warnings, errors and notice objects and provide an API for doing so.
Starting with the xpi:
I see the current validator isn't - but I wondered if that might make sense.
I've already made a few silly style nitpicks/raised some style questions in #20.
Shall we add some JS Style checks to the tests so we don't quibble over how we do long strings, line lengths, etc.?
It's worked well for localForage. Keeps styles in-line on the more fluid things eslint won't check.
Write a test that checks the number of rule files in rules/$VALIDATOR_TYPE
(eg: all files sans index.js
) and checks how many rules are run in $VALIDATOR_TYPE.scan()
. We can test this for at least the HTML and RDF checkers now, and could check the length of the ESLint rule list as well.
This makes sure of two things:
Currently we test for identifiers (#44), as the previous validator does. This leaves us open to obsfucation of restricted identifiers, eg:
var m = "m";
var o = "o";
var z = "z";
var idb = "IndexedDB";
var tricksterVariable = m + o + z + idb;
// Bad!
var myDatabase = window[tricksterVariable];
We need to statically analyse variable paths and find out their eventual values if they're used to dynamically call a function.
Failing this: we need to identify heuristics that we can use to say that obfuscation appears likely and alert the reviewer for closer manual inspection.
@andymckay, @mstriemer, and I talked about #49. What we actually need is to use the existing https://github.com/mozilla/olympia Django app as our API server (having multiple front ends is needless) to handle the Validator's API (eg: upload a file for validation -> get an ID -> query said ID for its validation status).
Do need to get the validator to run as a Celery task that can get data from the Django API (put into celery) and then send data back.
The API would return a status of the validation (processing/complete) with a series of messages/warnings/errors (as JSON, which the validator can already easily produce being a JS app).
Looking at the HTML and RDF scanner classes, they're nearly the same now that I've started on #79. Might be nice to define a "markup" scanner class and have them simply extend it (essentially the only difference is the parser used and the rules they're using).
There are going to be similar bugs in bugzilla for the existing validator, but basically whatever we need to do to make https://bugzilla.mozilla.org/show_bug.cgi?id=1210037 happen, we should repeat in this validator.
We're going to need a way to hand-off in-line CSS and style-blocks to the CSSParser when parsing the HTML
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.